DefaultOpenSSLContextFactory should have been deprecated a long time ago. It’s insecure, and in particular does not set a cipher string, so it uses DEFAULT. That will have all kinds of messed up priorities. For that reason, you should adjust your code to use OpenSSLCertificateOptions or, even better, use the TLS endpoint directly. The TL;DR is: yes, it seems that DefaultOpenSSLContextFactory produces a context that is genuinely unacceptable for HTTP/2.
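The cipher-string point in the message above can be checked directly. What follows is an added example, not code from this thread or from Twisted itself. It uses the Python standard library ssl module as a stand-in, because the cipher string is handed to OpenSSL and interpreted there in the same way whether Twisted or the ssl module sets it. It compares what OpenSSL's DEFAULT cipher string (what you end up with when, like DefaultOpenSSLContextFactory, nothing is set) offers against an explicit forward-secret, AEAD-only list, and flags the suites an HTTP/2 peer may refuse. The string HARDENED_CIPHERS and the helper twisted_server_options at the end are my assumptions; the helper uses Twisted's public CertificateOptions, AcceptableCiphers and PrivateCertificate API as I understand it and is not exercised here.

```python
import ssl

# What DefaultOpenSSLContextFactory effectively leaves you with: it never sets
# a cipher list, so OpenSSL's compiled-in DEFAULT applies.
DEFAULT_CIPHERS = "DEFAULT"

# Assumed hardened string for this example: ECDHE key exchange only, AEAD only.
# This is the shape of string one would pass to CertificateOptions(acceptableCiphers=...).
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def ciphers_for(cipher_string):
    """Return the suites an OpenSSL server context offers for cipher_string,
    as reported by ssl.SSLContext.get_ciphers() (list of dicts)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def is_aead(cipher):
    """AEAD suites only. Newer OpenSSL builds expose an 'aead' flag;
    fall back to the suite name on older ones."""
    name = cipher["name"]
    if "aead" in cipher:
        return bool(cipher["aead"])
    return any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))


def is_forward_secret(cipher):
    """TLS 1.3 suites always use an ephemeral key exchange; in TLS 1.2 the
    key exchange is encoded in the suite name."""
    if cipher["protocol"] == "TLSv1.3":
        return True
    return cipher["name"].startswith(("ECDHE-", "DHE-"))


def audit(cipher_string):
    """Names of offered suites that are not both AEAD and forward secret.
    HTTP/2 (RFC 7540 section 9.2.2 and Appendix A) tells peers not to use
    such suites and allows them to fail the connection with INADEQUATE_SECURITY,
    so anything returned here is a suite an h2 client may reject."""
    return [
        c["name"]
        for c in ciphers_for(cipher_string)
        if not (is_aead(c) and is_forward_secret(c))
    ]


def twisted_server_options(pem_path, cipher_string=HARDENED_CIPHERS):
    """Assumed Twisted equivalent of the hardened context (not run here):
    CertificateOptions with an explicit cipher list, which is what the
    thread recommends instead of DefaultOpenSSLContextFactory."""
    from twisted.internet.ssl import (
        AcceptableCiphers,
        CertificateOptions,
        PrivateCertificate,
    )

    with open(pem_path, "rb") as f:
        cert = PrivateCertificate.loadPEM(f.read())
    return CertificateOptions(
        privateKey=cert.privateKey.original,
        certificate=cert.original,
        acceptableCiphers=AcceptableCiphers.fromOpenSSLCipherString(cipher_string),
    )


if __name__ == "__main__":
    for label in (DEFAULT_CIPHERS, HARDENED_CIPHERS):
        offered = ciphers_for(label)
        bad = audit(label)
        print(f"{label!r}: {len(offered)} suites offered, {len(bad)} unsuitable for HTTP/2")
        for name in bad:
            print("   ", name)
```

On a stock OpenSSL build, audit("DEFAULT") lists entries such as AES128-SHA (RSA key exchange, CBC mode) next to the good suites, while audit(HARDENED_CIPHERS) is empty; the exact contents of DEFAULT depend on the OpenSSL version and any system-wide crypto policy, which is precisely why relying on it is a bad idea. In Twisted the same effect comes from passing acceptableCiphers to CertificateOptions (which already ships a sane default list), or from letting the ssl: endpoint build the CertificateOptions for you.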
Indeed it all works fine with endpoints. Thanks!
I was not aware that DefaultOpenSSLContextFactory is deprecated. There is
no warning about it anywhere. It seems that it is very widely used by
users, I just did some GitHub search now and found around 5k occurrences of
people using it:
https://github.com/search?utf8=%E2%9C%93&q=defaultopensslcontextfactory&type=Code&ref=searchresults
If you google for "ssl in twisted" you will also find articles that
recommend it. Since so many people use it, maybe it could be updated to be
more secure? If it does not make sense to update it then perhaps it would
be good to deprecate it so that it does not confuse users?
2016-07-12 9:56 GMT+02:00 Tristan Seligmann:
> On Tue, 12 Jul 2016 at 09:43 Cory Benfield wrote:
>> For that reason, you should adjust your code to use OpenSSLCertificateOptions or, even better, use the TLS endpoint directly.
> The exported name of this class is actually just "CertificateOptions", fwiw.
_______________________________________________ Twisted-Python mailing list Twisted-Python@twistedmatrix.com http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python